RE: use of ps in ipsec shutdown

From: Stephen Smalley <sds_at_tislabs.com>
Date: Mon, 3 Dec 2001 09:26:55 -0500 (EST)

On Fri, 30 Nov 2001, Paul Krumviede wrote:

> while this would suppress the warnings, what would happen
> if one wanted to restart the ipsec stuff, perhaps because of
> a config file change, when in enforcing mode? it would seem
> that stopping the service would fail (actually, it would look like
> it worked, but because _realsetup wouldn't think that pluto is
> running, pluto wouldn't be shut down) and i don't know what
> would be the result of the subsequent start.

As long as _realsetup is running in ipsec_t, it should be able to see the pluto daemon and kill it. But I'm wondering if _realsetup should really run in a separate domain (e.g. ipsec_client_t) that can see the ipsec_t domain and communicate with it, but cannot directly access PF_KEY sockets.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




Received on Mon 3 Dec 2001 - 09:39:58 EST
